[strongSwan] Android/Stongswan Integration

zhen chen zchen2711 at yahoo.com
Sun Nov 20 00:41:48 CET 2011

Hi Tobias, 

I followed the procedure to create the CA certificate and imported it to the Android emulator successfully. 
Now after I configure the GW side ipsec.conf. I created a IKEV2 VPN in the emulator. Then tried to connect to it: 

the logcat is giving me the foloowing errors:

D/SProxy_charon(  351): stopping charon, success? true
D/VpnService(  351):   Local IP:, if: eth0
D/VpnService(  351):        VPN UP: down
I/SProxy_charon(  351): Start VPN daemon: charon
D/SProxy_charon(  351): charon is running after 0 msec
D/SProxy_charon(  351): service not yet listen()ing; try again
I/charon  (  362): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5 
I/charon  (  362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running
I/charon  (  362): 00[JOB] spawning 16 worker threads
I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed
I/charon  (  362): 07[LIB] building CRED_CERTIFICATE - X509 failed, tried 2 builders
I/charon  (  362): 07[CFG] failed to load CA certificate
I/charon  (  362): 07[CFG] using CA certificate, gateway identitiy ''
I/charon  (  362): 07[CFG] status of Android plugin changed: 4

Now it seems like Android is not able to load the certificate I created using ipsec pki.  
Is that because the way I created the CA cert? or something is missing in the Android charon? 


 From: Tobias Brunner <tobias at strongswan.org>
To: zhen chen <zchen2711 at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Tuesday, November 15, 2011 9:52 AM
Subject: Re: [strongSwan] Android/Stongswan Integration
Hello Zhen,

> I have been trying to bring Strongswan 4.5.3 to Android

If possible, you should update to 4.6.1 as there are several Android
related improvements included in that release.

> 1. When I ran charon in adb shell, it started, but said: "android plugin
> failed to load, can't open android control socket".

That's because the control socket is only available, if charon gets
started by the patched Android VPN GUI.  With 4.6.1 it's possible to use
the plugin even if charon is not started by the GUI.

> I did some search, the android plugin is something related to DNS.

That's correct it installs DNS servers received from the gateway where
Android expects them to be (there is no resolv.conf on Android).

> Question: do i have to to enable this plugin for VPN to work on the
> emulator?

Only if you need DNS servers installed, or logging via logcat.  These
are currently the only two functions provided by the plugin, which are
usable without GUI patch.

> If so, i did some ./configure --enable-android, it failed
> because it couldn't find a requied lib. 

Running ./configure won't work.  To enable/disable plugins you have to
edit the plugin list in the top Android.mk within the strongSwan source
tree.  But the plugin is enabled anyway, by default, it just can't be
loaded without the control socket provided by the frontend in 4.5.3.

> 2. In the frontend integration site, it says it needs CA assigned certs,
> quoted below.
> Question: Does the certificate have to be issued by CA? Would
> self-assigned certificate work? I am just playing with it and wouldn't
> want to spend $1500 to buy one from verisign. :( 

Don't worry :)  You can absolutely build your own CA (e.g. with the
ipsec pki tool [1]).  Just make sure you install the CA certificate in
the Android certificate store as described on the page you quoted.  Then
use this CA to issue a certificate for the gateway you want to test against.

With 4.6.1 you now have also the option to build starter and stroke
which allows you to use an ipsec.conf based configuration, instead of
using the frontend patch.


[1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20111119/1b93587c/attachment.html>

More information about the Users mailing list